How not to pay the price for free Wi-Fi

Using free Wi-Fi at places like airports and coffee shops can put sensitive information and passwords at risk.

By Stephanie Rosenbloom, New York Times News Service

Sunday, June 8, 2014 | 2 a.m.

Part of globe-trotting nowadays is flitting from one free Wi-Fi network to the next. From hotel lobby to coffee shop to subway platform to park, each time we join a public network we put our personal information and privacy at risk. Yet few travelers are concerned enough to turn down free Wi-Fi. Rather, many of us hastily give away an email address in exchange for 15 minutes of free airport Internet access.

So how to feed your addiction while also safeguarding your passwords and privacy? If you're not going to abstain (and who is these days?), here are four rules for staying connected and (reasonably) safe while traveling.

1: Make sure that any site you visit has "https" at the start of the URL.

Those five letters indicate that your connection to the page is encrypted, which prevents others from seeing what you're doing. If you're browsing the Web in a Starbucks or any place with an open network and you do not see "https," it's possible that someone there with nefarious intentions can see the site you're visiting and the exact pages you request on that site.

"They can see that you're connecting to Amazon and that you're looking for remedial algebra books," said Nadia Heninger, an assistant professor of computer and information science at the University of Pennsylvania. Indeed, the only part of an e-commerce site that may be encrypted is the page where you access your account information or enter your credit card number.

Sites like Gmail.com and Yahoo.com use "https" by default, but type your password into a Web-based email site that does not use it and a third party could see (and steal) that password. There are a number of tools that allow anyone who downloads them to see all the data that flies back and forth between a browser and a Web server, said Jason Hong, an associate professor at the Human Computer Interaction Institute at Carnegie Mellon University.

2: Use your virtual private network, or VPN.

If you work for a corporation, chances are you either already have one or have a technology department that can give you one. Using a VPN essentially encrypts all your online traffic, ensuring that no one can eavesdrop. It also routes that activity through whoever owns the VPN (your employer). To access the VPN, users are typically given a name and a password and often also a constantly changing set of numbers on a fob that must be entered to access the network.

Don't have a VPN? There's Tor, software that prevents third parties from seeing your location or the sites you visit. The software can be downloaded at Torproject.org.

3: Sign up for two-step verification.

More and more sites — Facebook, Twitter, Yahoo, WordPress — allow users to set up their accounts so that signing in requires two ways of proving who they are. The most common method requires a password you create plus a code that is sent to you — via text message or through a special app — each time you wish to sign in.

For instance, let's say you logged on to a fake Facebook page and hackers captured your user name and password. If that happened without two-step verification (known on Facebook as "login approvals"), the hackers could access your account when you log off. If, however, you had enabled login approvals, even though your user name and password were captured, the hackers would not be able to log in to your account because they wouldn't receive the requisite code.

4: Bring only what you need and turn off what you're not using.

The latter goes for Wi-Fi and for Bluetooth. "It's just another way to be compromised," Heninger said.

And don't give away your email address or download an app in exchange for free Wi-Fi.

"Think about the recipient of that information," she said. "You have no idea who set up that Wi-Fi network," she continued, adding, "You might have just downloaded an app that will download all your contacts."

If you're seriously concerned about security, Heninger suggests creating a special travel email address and password. And she recommends buying a "travel laptop" that you load with only the information you need.